SearchLeak: One Click on Microsoft 365 Copilot Exposes Emails and Files

The chained vulnerability in Microsoft 365 Copilot allowed an attacker to steal corporate data with just one click on a legitimate Microsoft link.

June 16, 2026 · 3 min read

TL;DR: Varonis researchers discovered SearchLeak, a vulnerability in Microsoft 365 Copilot that allowed exfiltrating corporate data with a single click on a legitimate Microsoft link. The flaw was fixed before public disclosure.

What Happened?

On June 18, 2025, Varonis Threat Labs publicly disclosed a critical vulnerability in Microsoft 365 Copilot Enterprise Search, dubbed SearchLeak. The flaw allowed an attacker, with a single click by the victim on an apparently legitimate microsoft.com link, to steal emails, calendar events, and files indexed by Copilot. The vulnerability was reported to Microsoft in March 2025 and fixed before disclosure. According to Varonis, the attack exploited a chain of three weaknesses involving implicit authentication, malicious search parameters, and lack of origin validation in the search API. This incident recalls previous vulnerabilities like cross-site request forgery (CSRF) attacks in web applications, but with the particularity of affecting an enterprise AI assistant that indexes sensitive data across the entire organization.

How Did It Work?

SearchLeak exploited a chain of three weaknesses:

  • Implicit authentication: Copilot search links on microsoft.com inherited the user's session without requiring additional verification. This meant that if a user was logged into Microsoft 365, any search link generated by Copilot automatically included their authentication token.
  • Malicious search parameters: An attacker could embed specific search queries in the URL to extract sensitive data. For example, they could search for emails containing keywords like 'password' or 'confidential'.
  • Lack of origin validation: The search API responded to requests from any origin, allowing exfiltration to an attacker-controlled server via a cross-origin request. This is the same class of weakness as a CORS (Cross-Origin Resource Sharing) misconfiguration.

Upon clicking, the victim's browser executed the search in Copilot, and the results were sent to the attacker via a cross-origin request. Varonis demonstrated that the attack could be executed in less than a second, leaving no trace in user activity logs.
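The third link in the chain is the one a defender can check directly: whether a browser-facing API hands out CORS headers to any origin. The following is an added example, not Varonis's or Microsoft's code, that puts the weak behaviour described above beside an allowlist-based origin check; the allowlist contents and function names are assumptions made for the example.

```python
# Added example: origin validation for a credentialed, browser-facing search
# API. Not code from Varonis or Microsoft; the allowlist is constructed.
from urllib.parse import urlsplit

# Hypothetical first-party origins allowed to read API responses.
ALLOWED_ORIGINS = {
    "https://copilot.microsoft.com",
    "https://www.office.com",
}


def weak_cors_headers(origin):
    """Weak: reflects whatever Origin the browser sent and also allows
    credentials, so any site can read a session-authenticated response."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin):
    """Return a canonical https://host[:port] string, or None if the Origin
    header is missing, opaque ('null'), non-HTTPS or malformed."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    # A serialized origin carries no path, query, fragment or userinfo.
    if (parts.scheme != "https" or not parts.hostname or parts.path
            or parts.query or parts.fragment or parts.username):
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"


def hardened_cors_headers(origin, allowlist=ALLOWED_ORIGINS):
    """Hardened: only an exact, allowlisted origin receives CORS headers.
    Everything else gets none, so the browser withholds the response body
    from the requesting page. 'Vary: Origin' keeps caches from serving one
    origin's headers to another."""
    norm = normalize_origin(origin)
    if norm is None or norm not in allowlist:
        return None
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

Exact matching is the point: a suffix or substring check would still accept a look-alike host that merely contains the legitimate name.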

Why Is It Important?

This vulnerability is especially dangerous because:

  • It uses a legitimate Microsoft domain, bypassing conventional anti-phishing filters. Malicious links appeared as 'https://copilot.microsoft.com/...', deceiving even trained users.
  • It requires no additional credentials: the victim only needs an active session in Microsoft 365. This broadens the attack vector to any employee using Copilot.
  • Copilot indexes sensitive information across the entire organization, including emails, calendars, and shared files. According to Microsoft, Copilot can access data from SharePoint, OneDrive, Teams, and Exchange Online, meaning a successful attack could expose trade secrets, business strategies, and internal communications.

According to Varonis, the attack could have compromised companies of any size using Microsoft 365 Copilot. Although no real incidents were reported, the potential severity is high. This incident adds to other security issues in AI assistants, such as prompt injection in ChatGPT or data leaks in Google Bard, underscoring the need for rigorous security audits in these systems.

What Will Be the Consequences?

Microsoft has already fixed the vulnerability, but the case sets a precedent regarding security risks in enterprise AI assistants. It is expected that:

  • Other companies will review the security of their AI integrations. For example, Salesforce Einstein and Google Workspace AI may face similar audits.
  • Microsoft will tighten origin validation in its APIs, possibly implementing stricter CORS restrictions and requiring additional authentication tokens for sensitive operations.
  • IT administrators will reinforce awareness about seemingly safe links. Security training should include identifying apparently legitimate but manipulated URLs.

Additionally, this case could accelerate AI regulation in the enterprise sector. The European Union is already discussing the AI Act, and incidents like SearchLeak could influence transparency and security requirements for AI assistants.

What Should Readers Know?

If you use Microsoft 365 Copilot, ensure your organization applies Microsoft's security updates. Do not blindly trust links from known domains; always verify the URL. Enterprise AI security depends on both technology and user training. As an additional recommendation, companies should implement conditional access policies that require multi-factor authentication for sensitive actions performed through Copilot. It is also crucial to monitor Copilot search logs for anomalous patterns. Ultimately, SearchLeak is a reminder that AI adoption must be accompanied by a robust and up-to-date security strategy.